Which initial action can a network security engineer take to prevent a malicious actor from using a file-sharing application for data exfiltration without impacting users who still need to use file-sharing applications?

Use App-ID to limit access to file-sharing applications based on job functions.

Use DNS Security to limit access to file-sharing applications based on job functions.

Use App-ID to limit access to file-sharing applications based on job functions.

Use DNS Security to block all file-sharing applications and uploading abilities.

Use App-ID to block all file-sharing applications and uploading abilities.

What are three valid Panorama deployment options? (Choose three.)

As a virtual machine (ESXi, Hyper-V, KVM)

With a cloud service provider (AWS, Azure, GCP)

As a dedicated hardware appliance (M-100, M-200, M-500, M-600)

As a virtual machine (ESXi, Hyper-V, KVM)

With a cloud service provider (AWS, Azure, GCP)

As a container (Docker, Kubernetes, OpenShift)

On a Raspberry Pi (Model 4, Model 400, Model 5)

As a dedicated hardware appliance (M-100, M-200, M-500, M-600)

What does Policy Optimizer allow a systems engineer to do for an NGFW?

Identify Security policy rules with unused applications

Recommend best practices on new policy creation

Show unused licenses for Cloud-Delivered Security Services (CDSS) subscriptions and firewalls

Identify Security policy rules with unused applications

Act as a migration tool to import policies from third-party vendors

What is the minimum configuration to stop a Cobalt Strike Malleable C2 attack inline and in real time?

Advanced Threat Prevention and PAN-OS 10.2

Next-Generation CASB on PAN-OS 10.1

Advanced Threat Prevention and PAN-OS 10.2

Threat Prevention and Advanced WildFire with PAN-OS 10.0

DNS Security, Threat Prevention, and Advanced WildFire with PAN-OS 9.x

Which two statements clarify the functionality and purchase options for Palo Alto Networks AIOps for NGFW? (Choose two.)

It is offered in two license tiers: a free version and a premium version.

It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process.

It is offered in two license tiers: a commercial edition and an enterprise edition.

It is offered in two license tiers: a free version and a premium version.

It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process.

It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process.

Regarding APIs, a customer RFP states: 'The vendor's firewall solution must provide an API with an enforcement mechanism to deactivate API keys after two hours.' How should the response address this clause?

Yes - The default setting must be changed from no limit to 120 minutes.

Yes - This is the default setting for API keys.

No - The PAN-OS XML API does not support keys.

No - The API keys can be made, but there is no method to deactivate them based on time.

Yes - The default setting must be changed from no limit to 120 minutes.

An existing customer wants to expand their online business into physical stores for the first time. The customer requires NGFWs at the physical store to handle SD-WAN, security, and data protection needs, while also mandating a vendor-validated deployment method. Which two steps are valid actions for a systems engineer to take? (Choose two.)

Recommend the customer purchase Palo Alto Networks or partner-provided professional services to meet the stated requirements.

Create a bespoke deployment plan with the customer that reviews their cloud architecture, store footprint, and security requirements.

Recommend the customer purchase Palo Alto Networks or partner-provided professional services to meet the stated requirements.

Use Golden Images and Day 1 configuration to create a consistent baseline from which the customer can efficiently work.

Create a bespoke deployment plan with the customer that reviews their cloud architecture, store footprint, and security requirements.

Use the reference architecture 'On-Premises Network Security for the Branch Deployment Guide' to achieve a desired architecture.

Which three descriptions apply to a perimeter firewall? (Choose three.)

Network layer protection for the outer edge of a network

Primarily securing north-south traffic entering and leaving the network

Guarding against external attacks

Network layer protection for the outer edge of a network

Power utilization less than 500 watts sustained

Securing east-west traffic in a virtualized data center with flexible resource allocation

Primarily securing north-south traffic entering and leaving the network

Guarding against external attacks

While responding to a customer RFP, a systems engineer (SE) is presented the question, 'How do PANW firewalls enable the mapping of transactions as part of Zero Trust principles?' Which two narratives can the SE use to respond to the question? (Choose two.)

Explain how the NGFW can be placed in the network so it has visibility into every traffic flow.

Describe how Palo Alto Networks NGFW Security policies are built by using users, applications, and data objects.

Emphasize Zero Trust as an ideology, and that the customer decides how to align to Zero Trust principles.

Reinforce the importance of decryption and security protections to verify traffic that is not malicious.

Explain how the NGFW can be placed in the network so it has visibility into every traffic flow.

Describe how Palo Alto Networks NGFW Security policies are built by using users, applications, and data objects.

A company plans to deploy identity for improved visibility and identity-based controls for least privilege access to applications and data. The company does not have an on-premises Active Directory (AD) deployment, and devices are connected and managed by using a combination of Entra ID and Jamf.Which two supported sources for identity are appropriate for this environment? (Choose two.)

GlobalProtect with an internal gateway deployment

Cloud Identity Engine synchronized with Entra ID

User-ID agents configured for WMI client probing

GlobalProtect with an internal gateway deployment

Cloud Identity Engine synchronized with Entra ID

A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:'Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important.'Which recommendations should the SE make?

Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.

VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.

VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

A customer claims that Advanced WildFire miscategorized a file as malicious and wants proof, because another vendor has said that the file is benign.How could the systems engineer assure the customer that Advanced WildFire was accurate?

Use the WildFire Analysis Report in the log to show the customer the malicious actions the file took when it was detonated.

Review the threat logs for information to provide to the customer.

Use the WildFire Analysis Report in the log to show the customer the malicious actions the file took when it was detonated.

Open a TAG ticket for the customer and allow support engineers to determine the appropriate action.

Do nothing because the customer will realize Advanced WildFire is right.

Which statement applies to the default configuration of a Palo Alto Networks NGFW?

The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.

Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall.

The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone.

The default policy action allows all traffic unless explicitly denied.

The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.

A company has multiple business units, each of which manages its own user directories and identity providers (IdPs) with different domain names. The company's network security team wants to deploy a shared GlobalProtect remote access service for all business units to authenticate users to each business unit's IdP.Which configuration will enable the network security team to authenticate GlobalProtect users to multiple SAML IdPs?

GlobalProtect with multiple authentication profiles for each SAML IdP

Multiple authentication mode Cloud Identity Engine authentication profile for use on the GlobalProtect portals and gateways

Authentication sequence that has multiple authentication profiles using different authentication methods

Multiple Cloud Identity Engine tenants for each business unit

Which two actions can a systems engineer take to discover how Palo Alto Networks can bring value to a customer's business when they show interest in adopting Zero Trust? (Choose two.)

Ask the customer about their internal business flows, such as how their users interact with applications and data across the infrastructure.

Ask the customer about their approach to Zero Trust, explaining that it is a strategy more than it is something they purchase.

Ask the customer about their internal business flows, such as how their users interact with applications and data across the infrastructure.

Explain how Palo Alto Networks can place virtual NGFWs across the customer's network to ensure assets and traffic are seen and controlled.

Use the Zero Trust Roadshow package to demonstrate to the customer how robust Palo Alto Networks capabilities are in meeting Zero Trust.

Ask the customer about their approach to Zero Trust, explaining that it is a strategy more than it is something they purchase.

A current NGFW customer has asked a systems engineer (SE) for a way to prove to their internal management team that its NGFW follows Zero Trust principles. Which action should the SE take?

Help the customer build reports that align to their Zero Trust plan in the 'Monitor > Manage Custom Reports' tab.

Use the 'Monitor > PDF Reports' node to schedule a weekly email of the Zero Trust report to the internal management team.

Help the customer build reports that align to their Zero Trust plan in the 'Monitor > Manage Custom Reports' tab.

Use a third-party tool to pull the NGFW Zero Trust logs, and create a report that meets the customer's needs.

Use the 'ACC' tab to help the customer build dashboards that highlight the historical tracking of the NGFW enforcing policies.

A company with Palo Alto Networks NGFWs protecting its physical data center servers is experiencing a performance issue on its Active Directory (AD) servers due to high numbers of requests and updates the NGFWs are placing on the servers. How can the NGFWs be enabled to efficiently identify users without overloading the AD servers?

Configure Cloud Identity Engine to learn the users' IP address-user mappings from the AD authentication logs.

Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect Windows SSO to gather user information.

Configure data redistribution to redistribute IP address-user mappings from a hub NGFW to the other spoke NGFWs.

Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect agents to gather user information.

As a team plans for a meeting with a new customer in one week, the account manager prepares to pitch Zero Trust. The notes provided to the systems engineer (SE) in preparation for the meeting read: 'Customer is struggling with security as they move to cloud apps and remote users.' What should the SE recommend to the team in preparation for the meeting?

Design discovery questions to validate customer challenges with identity, devices, data, and access for applications and remote users.

Lead with the account manager pitching Zero Trust with the aim of convincing the customer that the team's approach meets their needs.

Design discovery questions to validate customer challenges with identity, devices, data, and access for applications and remote users.

Lead with a product demonstration of GlobalProtect connecting to an NGFW and Prisma Access, and have SaaS security enabled.

Guide the account manager into recommending Prisma SASE at the customer meeting to solve the issues raised.

A prospective customer wants to validate an NGFW solution and seeks the advice of a systems engineer (SE) regarding a design to meet the following stated requirements:'We need an NGFW that can handle 72 Gbps inside of our core network. Our core switches only have up to 40 Gbps links available to which new devices can connect. We cannot change the IP address structure of the environment, and we need protection for threat prevention, DNS, and perhaps sandboxing.'Which hardware and architecture/design recommendations should the SE make?

PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

The efforts of a systems engineer (SE) with an industrial mining company account have yielded interest in Palo Alto Networks as part of its effort to incorporate innovative design into operations using robots and remote-controlled vehicles in dangerous situations. A discovery call confirms that the company will receive control signals to its machines over a private mobile network using radio towers that connect to cloud-based applications that run the control programs.Which two sets of solutions should the SE recommend?

That 5G Security be enabled and architected to ensure the cloud computing is not compromised in the commands it is sending to the onsite machines.

That IoT Security be included for visibility into the machines and to ensure that other devices connected to the network are identified and given risk and behavior profiles.

That 5G Security be enabled and architected to ensure the cloud computing is not compromised in the commands it is sending to the onsite machines.

That Cloud NGFW be included to protect the cloud-based applications from external access into the cloud service provider hosting them.

That IoT Security be included for visibility into the machines and to ensure that other devices connected to the network are identified and given risk and behavior profiles.

That an Advanced CDSS bundle (Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering) be procured to ensure the design receives advanced protection.

There are no Advanced Threat Prevention log events in a company's SIEM instance. However, the systems administrator has confirmed that the Advanced Threat Prevention subscription is licensed and that threat events are visible in the threat logs on the firewall.Which action should the systems administrator take next?

Ensure the Security policy rules that use Advanced Threat Prevention are set for log forwarding to the correct SIEM.

Enable the company's Threat Prevention license.

Check with the SIEM vendor to verify that Advanced Threat Prevention logs are reaching the company's SIEM instance.

Have the SIEM vendor troubleshoot its software.

Ensure the Security policy rules that use Advanced Threat Prevention are set for log forwarding to the correct SIEM.

A customer asks a systems engineer (SE) how Palo Alto Networks can claim it does not lose throughput performance as more Cloud-Delivered Security Services (CDSS) subscriptions are enabled on the firewall.Which two concepts should the SE explain to address the customer's concern? (Choose two.)

Management Data Plane Separation

A prospective customer has provided specific requirements for an upcoming firewall purchase, including the need to process a minimum of 200,000 connections per second while maintaining at least 15 Gbps of throughput with App-ID and Threat Prevention enabled.What should a systems engineer do to determine the most suitable firewall for the customer?

Download the firewall sizing tool from the Palo Alto Networks support portal.

Upload 30 days of customer firewall traffic logs to the firewall calculator tool on the Palo Alto Networks support portal.

Download the firewall sizing tool from the Palo Alto Networks support portal.

Use the online product configurator tool provided on the Palo Alto Networks website.

Use the product selector tool available on the Palo Alto Networks website.

According to a customer's CIO, who is upgrading PAN-OS versions, ''Finding issues and then engaging with your support people requires expertise that our operations team can better utilize elsewhere on more valuable tasks for the business.'' The upgrade project was initiated in a rush because the company did not have the appropriate tools to indicate that their current NGFWs were reaching capacity.Which two actions by the Palo Alto Networks team offer a long-term solution for the customer? (Choose two.)

Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool.

Propose AIOps Premium within Strata Cloud Manager (SCM) to address the company's issues from within the existing technology.

Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool.

Suggest the inclusion of training into the proposal so that the operations team is informed and confident in working on their firewalls.

Inform the CIO that the new enhanced security features they will gain from the PAN-OS upgrades will fix any future problems with upgrading and capacity.

Propose AIOps Premium within Strata Cloud Manager (SCM) to address the company's issues from within the existing technology.

A prospective customer is concerned about stopping data exfiltration, data infiltration, and command-and-control (C2) activities over port 53.Which subscription(s) should the systems engineer recommend?

App-ID and Data Loss Prevention

Advanced Threat Prevention and Advanced URL Filtering

Which statement appropriately describes performance tuning Intrusion Prevention System (IPS) functions on a Palo Alto Networks NGFW running Advanced Threat Prevention?

Create a new threat profile to use only signatures needed for the environment.

Leave all signatures turned on because they do not impact performance.

Create a new threat profile to use only signatures needed for the environment.

Work with TAC to run a debug and receive exact measurements of performance utilization for the IPS.

To increase performance, disable any threat signatures that do not apply to the environment.

A systems engineer (SE) successfully demonstrates NGFW managed by Strata Cloud Manager (SCM) to a company. In the resulting planning phase of the proof of value (POV), the CISO requests a test that shows how the security policies are either meeting, or are progressing toward meeting, industry standards such as Critical Security Controls (CSC), and how the company can verify that it is effectively utilizing the functionality purchased.During the POV testing timeline, how should the SE verify that the POV will meet the CISO's request?

Near the end, pull a Security Lifecycle Review (SLR) in the POV and create a report for the customer.

At the beginning, work with the customer to create custom dashboards and reports for any information required, so reports can be pulled as needed by the customer.

Near the end, the customer pulls information from these SCM dashboards: Best Practices, CDSS Adoption, and NGFW Feature Adoption.

At the beginning, use PANhandler golden images that are designed to align to compliance and to turning on the features for the CDSS subscription being tested.

Which three use cases are specific to Policy Optimizer? (Choose three.)

Discovering applications on the network and transitions to application-based policy over time

Converting broad rules based on application filters into narrow rules based on application groups

Enabling migration from port-based rules to application-based rules

Discovering applications on the network and transitions to application-based policy over time

Converting broad rules based on application filters into narrow rules based on application groups

Enabling migration from port-based rules to application-based rules

Discovering 5-tuple attributes that can be simplified to 4-tuple attributes

Automating the tagging of rules based on historical log data

A security engineer has been tasked with protecting a company's on-premises web servers but is not authorized to purchase a web application firewall (WAF).Which Palo Alto Networks solution will protect the company from SQL injection zero-day, command injection zero-day, Cross-Site Scripting (XSS) attacks, and IIS exploits?

Advanced Threat Prevention and PAN-OS 11.x

Threat Prevention and PAN-OS 11.x

Advanced Threat Prevention and PAN-OS 11.x

Threat Prevention, Advanced URL Filtering, and PAN-OS 10.2 (and higher)

Advanced WildFire and PAN-OS 10.0 (and higher)

When a customer needs to understand how Palo Alto Networks NGFWs lower the risk of exploitation by newly announced vulnerabilities known to be actively attacked, which solution and functionality delivers the most value?

Advanced Threat Prevention's command injection and SQL injection functions use inline deep learning against zero-day threats.

Advanced URL Filtering uses machine learning (ML) to learn which malicious URLs are being utilized by the attackers, then block the resulting traffic.

Advanced Threat Prevention's command injection and SQL injection functions use inline deep learning against zero-day threats.

Single Pass Architecture and parallel processing ensure traffic is efficiently scanned against any enabled Cloud-Delivered Security Services (CDSS) subscription.

WildFire loads custom OS images to ensure that the sandboxing catches any activity that would affect the customer's environment.

Palo Alto Networks PSE-Strata-Pro-24 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

A large global company plans to acquire 500 NGFWs to replace its legacy firewalls and has a specific requirement for centralized logging and reporting capabilities.

What should a systems engineer recommend?

Combine Panorama for firewall management with Palo Alto Networks' cloud-based Strata Logging Service to offer scalability for the company's logging and reporting infrastructure.

Use Panorama for firewall management and to transfer logs from the 500 firewalls directly to a third-party SIEM for centralized logging and reporting.

Highlight the efficiency of PAN-OS, which employs AI to automatically extract critical logs and generate daily executive reports, and confirm that the purchase of 500 NGFWs is sufficient.

Deploy a pair of M-1000 log collectors in the customer data center, and route logs from all 500 firewalls to the log collectors for centralized logging and reporting.

Comment (0)

Palo Alto Networks PSE-Strata-Pro-24 Practice Test 1

Question

Palo Alto Networks PSE-Strata-Pro-24 Practice Tests

Practice Tests